GDPR for Will Writing Services: Handling Sensitive Client Data
Will writing sits at one of the most sensitive intersections of personal and legal data. Estate planning clients entrust you with details about their family relationships, financial assets, health conditions, and their wishes for what happens after their death. Under GDPR, this creates a layered set of obligations, some unique to the sector, that go well beyond a standard privacy notice and cookie banner.
This guide covers the key GDPR requirements for will writing services: what data you hold, how to process it lawfully, how long you can keep it, and how to handle the complex situations that arise when a client dies.
Why Estate Planning Data Is Especially Sensitive
Wills and estate planning documents contain some of the most personal information that exists. A typical will file may include:
- Full names, dates of birth, and addresses of the testator and beneficiaries
- Next-of-kin relationships and family structure details
- Details of assets: property, bank accounts, investments, business interests
- Health information (mental capacity assessments, medical evidence)
- Relationship and family conflict details
- Details of vulnerable beneficiaries (minors, those with disabilities)
- Executor identities and contact details
Much of this falls squarely within GDPR's standard personal data category, but some of it, particularly health and mental capacity information, is special category data under Article 9. Processing special category data requires not just a lawful basis under Article 6 but also a separate condition under Article 9, such as explicit consent (Article 9(2)(a)) or the establishment, exercise or defence of legal claims (Article 9(2)(f)).
If you ask clients to sign medical authority forms or obtain GP letters confirming capacity, that health data is special category data and must be treated with the heightened protections GDPR demands: record the Article 9 condition you rely on, restrict who can see it, and keep it separate from the routine file where your systems allow.
Lawful Basis for Processing Client Data
For most of the core will drafting work, the lawful basis is contract (Article 6(1)(b)) — you need the data to perform the service the client has engaged you for. This covers collecting personal and beneficiary details, drafting the will, and corresponding about the engagement.
For ancillary activities, such as keeping client data after the engagement ends, marketing follow-up, or sharing with third parties beyond what is necessary to fulfil the contract, you will need to identify additional lawful bases:
- Legal obligation: Retaining records where a statutory or regulatory rule actually requires it. Keeping a file merely in case of a future dispute or capacity challenge is normally legitimate interests rather than legal obligation, because Article 6(1)(c) needs an obligation imposed by law, not a precaution you have chosen to take
- Legitimate interests: Following up with clients about reviewing their will after life events
- Consent: Marketing new services, adding clients to newsletters
Do not treat legitimate interests as sufficient for special category data. It is an Article 6 basis only and cannot substitute for the separate Article 9 condition; for health or capacity information you will generally need explicit consent (Article 9(2)(a)) or the legal claims condition (Article 9(2)(f)) as well.
Beneficiary and Next-of-Kin Data
This is an area many will writers overlook. When you record beneficiary details (names, addresses, relationships) you are processing the personal data of individuals who are not your clients, have no contract with you, and have had no say in your processing.
Under GDPR, you are still a data controller for that information. Your privacy notice must disclose that you process beneficiary data and explain why. You should only collect the minimum information required (data minimisation principle) and ensure beneficiaries have a way to exercise their data subject rights if they become aware their information is held. Because you obtained the data from the testator rather than the beneficiary, Article 14 also applies: you must provide privacy information to the beneficiary unless doing so would be impossible, would involve disproportionate effort, or would seriously impair the purpose of the processing. Telling a beneficiary they appear in a living client's will would usually defeat the testator's confidentiality, so most practices rely on that exemption, but you must document that reasoning rather than simply stay silent.
In practice, most beneficiaries will have no knowledge their details are stored in your system. That does not remove your obligations; it means the information is held without the individual's active awareness, which makes accurate record-keeping and security even more important.
Long-Term Retention: The Will Storage Problem
Wills present a genuine challenge to GDPR's storage limitation principle, which requires you to retain personal data only for as long as necessary. The problem is that wills may need to be kept indefinitely, or at least for the lifetime of the client plus a number of years.
A will is a live legal document until the testator dies. After death, it may be contested for years, and the will writing service may need to evidence the circumstances of drafting (the instructions taken, the capacity observed, who was present) to rebut a challenge.
A defensible approach is to establish a documented retention policy that:
- Keeps the original will and file while the client is alive (legitimate interests, or legal obligation where a specific rule requires retention)
- Retains files for a defined period after confirmed death — typically seven to fifteen years — to cover probate disputes and professional indemnity exposure
- Schedules genuine deletion or secure destruction at the end of that period unless a legitimate reason exists to retain longer
- Applies data minimisation during the drafting process: superseded drafts, routine correspondence and working copies should not be kept beyond the period they are operationally needed. Attendance notes recording instructions and capacity observations are different; they are precisely the evidence you would need to rebut a challenge, so keep them with the final will for the full retention period
The ICO expects you to be able to justify your retention periods, not just state them. Document the reasoning.
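The retention policy above is a decision procedure with several branches (client alive, death reported but not evidenced, period expired, documented hold), and it is the branches that usually go wrong in practice. The following is an added example, not part of the original article or any product it mentions, showing how such a policy can be applied mechanically to a file register so that destruction dates are computed and justified consistently. The seven-year figure, the file fields and the sample references are hypothetical; the page gives seven to fifteen years post-death as the typical range.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical policy parameter for illustration: the page gives seven to
# fifteen years after confirmed death as the typical range.
POST_DEATH_RETENTION_YEARS = 7

# Date on which the periodic retention review is run (fixed here so the
# sample output is reproducible).
REVIEW_DATE = date(2024, 1, 15)


@dataclass
class ClientFile:
    reference: str
    client_alive: bool
    death_confirmed: Optional[date] = None  # date death was evidenced, e.g. death certificate seen
    legal_hold: bool = False                 # e.g. a live probate dispute or indemnity claim
    hold_reason: str = ""                    # must be documented whenever legal_hold is set


def add_years(d: date, years: int) -> date:
    """Add calendar years, clamping 29 Feb to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_decision(f: ClientFile, today: date) -> tuple[str, Optional[date]]:
    """Return (action, scheduled_destruction_date) for one client file.

    Actions:
      retain        keep; either the client is alive or the period has not run
      verify_death  client recorded as dead but no evidence on file; do nothing yet
      retain_hold   period has run but a documented hold keeps the file
      destroy       period has run and nothing justifies keeping it
    """
    if f.client_alive:
        return ("retain", None)
    if f.death_confirmed is None:
        # Never start the clock, let alone destroy, on an unverified report of death.
        return ("verify_death", None)
    due = add_years(f.death_confirmed, POST_DEATH_RETENTION_YEARS)
    if f.legal_hold:
        if not f.hold_reason.strip():
            # The ICO expects the reason for keeping data longer to be documented.
            raise ValueError(f"{f.reference}: legal hold set without a documented reason")
        return ("retain_hold", due)
    if today >= due:
        return ("destroy", due)
    return ("retain", due)


def destruction_schedule(files: list[ClientFile], today: date) -> dict[str, list[str]]:
    """Group file references by action so the review can run as a periodic job."""
    schedule: dict[str, list[str]] = {}
    for f in files:
        action, _ = retention_decision(f, today)
        schedule.setdefault(action, []).append(f.reference)
    return schedule


# Constructed sample register; these are not real client files.
SAMPLE_FILES = [
    ClientFile("W-1001", client_alive=True),
    ClientFile("W-1002", client_alive=False),  # death reported by phone, not yet evidenced
    ClientFile("W-1003", client_alive=False, death_confirmed=date(2015, 3, 10)),
    ClientFile("W-1004", client_alive=False, death_confirmed=date(2021, 6, 1)),
    ClientFile("W-1005", client_alive=False, death_confirmed=date(2014, 2, 28),
               legal_hold=True, hold_reason="Contested probate; claim reference on file"),
]

if __name__ == "__main__":
    for action, refs in destruction_schedule(SAMPLE_FILES, REVIEW_DATE).items():
        print(f"{action:13} {', '.join(refs)}")
```

Run on the sample register, W-1003 is the only file due for destruction; W-1002 is deliberately left alone until the death is evidenced, and W-1005 is kept past its date only because a reason is recorded. Whatever system you actually use, the point is that "destroy" is never the default outcome of an unknown state.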
Sharing Data with Solicitors and Executors
Will writing often involves third parties: solicitors who store original wills, financial advisers who need to understand the estate structure, executors who need guidance on their duties, and trust companies who may act as professional executor.
Each sharing arrangement should be assessed:
- Data Processor: If the third party processes data solely on your instructions (e.g., a document storage company), you need a Data Processing Agreement under Article 28.
- Separate Data Controller: If the third party will use the data for their own purposes (e.g., a solicitor acting as executor), they become an independent controller and you need to disclose this sharing in your privacy notice.
Do not share client files with executors, beneficiaries, or family members without proper verification of identity and authority. After death, the estate passes to the legal personal representatives, but that does not automatically authorise unlimited disclosure of the whole file, which will still contain personal data about living beneficiaries and third parties. Process every request through your documented procedure.
Custodia can scan your website to identify third-party trackers and data-sharing tools that may not be properly disclosed in your privacy documentation.
Deceased Clients and Requests from Families
GDPR gives rights to living individuals. Once a client dies, GDPR no longer applies to their personal data as such. It does still apply to the personal data of living people in the same file (beneficiaries, executors, family members, witnesses), and it does not mean you can share a deceased person's will or file with anyone who asks.
Practical considerations:
- Executors have a legal right to access estate information, but this is governed by probate law, not GDPR
- Other family members (who may be beneficiaries or not) have no automatic right to information
- Confidentiality obligations may continue to apply after death under professional ethics rules
- Be particularly careful where family disputes exist: improper disclosure in contested estate situations can expose you to legal and professional liability
Establish a clear written procedure for post-death data requests, including what identity verification and authority documentation you require before releasing any information.
Website Lead Forms and Marketing Consent
If your website includes a contact form, quote request form, or lead capture mechanism, GDPR and PECR apply from the first interaction.
Key requirements:
- Your contact form must not pre-tick a marketing consent checkbox
- Any consent for marketing communications must be separate from the service inquiry
- You must clearly state what you will do with submitted data in a privacy notice or link at the point of collection
- If you use a CRM to manage leads, that system must be covered in your data processing records
Many will writing websites use booking tools, quote calculators, or live chat. Each of these may set cookies or transfer data to third parties. Without a properly configured cookie consent banner, you may be breaching PECR before a visitor has even submitted an enquiry.
Email Marketing to Prospects
Building a prospect list through networking, referral partners, or online lead sources and then sending marketing emails is legally complex under PECR.
For existing clients, the soft opt-in may apply: if someone has bought services from you (or negotiated to buy them), you can market similar services by email unless they have opted out, provided you gave them a simple opt-out when you first collected their details and repeat it in every message.
For cold prospects, people who have not previously engaged with you commercially, you need prior consent before sending marketing emails. Purchasing or using third-party lists without verifiable consent records exposes you to ICO enforcement action.
Keep your email marketing consent records: who consented, when, how, and what they consented to. If someone unsubscribes, action that promptly and do not contact them again.
Cloud Storage and Document Security
Will documents and client files are high-value targets for identity theft and fraud. GDPR's security principle (Article 32) requires you to implement appropriate technical and organisational measures.
For will writing services, this means:
- Encrypting stored client files, particularly those containing financial and health information, and knowing who holds the keys: if the vendor holds them, vendor staff can read the files, so that access must be covered by the contract and the vendor's own controls
- Using reputable cloud storage providers with UK or EU data residency (or appropriate safeguards for international transfers). A provider is a processor acting on your behalf, so "GDPR-compliant" describes your arrangement with them, not a badge they hold
- Signing Data Processing Agreements with your cloud storage provider, practice management software, and any other SaaS tools that hold client data
- Ensuring backups are encrypted and access-controlled
- Maintaining an access log for sensitive client files
If you use a cloud-based will drafting platform or document management system, verify that the vendor can provide a DPA, and ask for evidence rather than assurances: an ISO 27001 certificate whose scope actually covers the service you use, a description of how data is encrypted at rest and in transit, and how you will be notified of a breach within the timescale your own 72-hour ICO reporting duty requires.
Staff Access Controls
Internal access controls are a critical but often overlooked element of GDPR compliance for small will writing practices. Article 32 requires technical and organisational measures appropriate to the risk, and limiting access to personal data to those who need it for their role is the most basic of those measures.
Practical steps:
- Implement role-based access in your practice management system
- Use individual user accounts rather than shared logins, and turn on multi-factor authentication for any system that holds client files
- Review and revoke access when staff leave or change roles
- Train all staff who handle client data on GDPR requirements — including what to do if they receive a data subject request or suspect a breach
- Maintain a record of who has accessed particularly sensitive files
If you use paper files, apply the same principles: locked filing cabinets, clean desk policies, shredding rather than binning documents.
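The access-control and access-log points above (role-based access, revoking leavers, and keeping a record of who opened sensitive files) can be shown together in one small model. This is an added example, not code from the original article or from any product it mentions; the roles, document classes, staff names and matter reference are hypothetical. It refuses access on three grounds (deactivated account, role not permitted to see special category documents, user not assigned to the matter), writes every decision, allowed or refused, to an access log, and chains the log entries with a hash so that a later edit to the log is detectable.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Which document classes each role may open. "special_category" covers health
# and capacity evidence (GDPR Article 9); "standard" covers the rest of the file.
# Roles and classes are hypothetical.
ROLE_PERMISSIONS = {
    "partner": {"standard", "special_category"},
    "drafter": {"standard", "special_category"},
    "admin":   {"standard"},
}


@dataclass
class User:
    username: str
    role: str
    active: bool = True                        # set False on leaving; revoke, do not delete
    matters: set = field(default_factory=set)  # matter references assigned to this user


@dataclass
class ClientDocument:
    matter: str
    name: str
    classification: str  # "standard" or "special_category"


class AuditLog:
    """Append-only access log. Each entry carries the hash of the previous one, so
    editing or removing an entry breaks the chain. Tamper-evident, not tamper-proof:
    keep a copy somewhere the people being audited cannot write."""

    def __init__(self) -> None:
        self.entries: list[dict] = []
        self._prev_hash = "0" * 64

    def record(self, user: str, doc: ClientDocument, allowed: bool, reason: str, when: str) -> None:
        entry = {"when": when, "user": user, "matter": doc.matter, "document": doc.name,
                 "class": doc.classification, "allowed": allowed, "reason": reason,
                 "prev": self._prev_hash}
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest
        self.entries.append(entry)
        self._prev_hash = digest

    def verify(self) -> bool:
        """Recompute every hash; False if any entry was altered or the chain was broken."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def authorise(user: User, doc: ClientDocument, log: AuditLog, when: str) -> bool:
    """Decide whether user may open doc; every decision, allowed or refused, is logged."""
    if not user.active:
        allowed, reason = False, "account deactivated"
    elif doc.classification not in ROLE_PERMISSIONS.get(user.role, set()):
        allowed, reason = False, f"role {user.role} may not open {doc.classification} documents"
    elif user.role != "partner" and doc.matter not in user.matters:
        allowed, reason = False, "user not assigned to matter"
    else:
        allowed, reason = True, "role and matter assignment permit access"
    log.record(user.username, doc, allowed, reason, when)
    return allowed


def demo() -> tuple[list[bool], bool, bool]:
    """Constructed scenario: three staff and two documents on one matter.
    Returns (decisions, log_valid_before_tamper, log_valid_after_tamper)."""
    log = AuditLog()
    capacity_letter = ClientDocument("M-2024-017", "GP capacity letter", "special_category")
    will_draft = ClientDocument("M-2024-017", "Will v3", "standard")
    alice = User("alice", "drafter", matters={"M-2024-017"})
    bob = User("bob", "admin", matters={"M-2024-017"})
    carol = User("carol", "drafter", active=False, matters={"M-2024-017"})  # left the firm
    decisions = [
        authorise(alice, capacity_letter, log, "2024-01-15T09:00:00Z"),  # allowed
        authorise(bob, capacity_letter, log, "2024-01-15T09:01:00Z"),    # refused: admin, Art. 9 doc
        authorise(bob, will_draft, log, "2024-01-15T09:02:00Z"),         # allowed
        authorise(carol, will_draft, log, "2024-01-15T09:03:00Z"),       # refused: deactivated
    ]
    ok_before = log.verify()
    log.entries[1]["allowed"] = True  # someone later "tidies up" the refused attempt
    ok_after = log.verify()
    return decisions, ok_before, ok_after


if __name__ == "__main__":
    decisions, before, after = demo()
    print("decisions:", decisions, "| log valid:", before, "| after tampering:", after)
```

Two design choices matter more than the code. Refusals are logged as well as successes, because a pattern of refused attempts on capacity evidence is exactly what you would want to see in an investigation. And leavers are deactivated rather than deleted, so their historic entries in the log still resolve to a named person.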
Your GDPR Compliance Checklist
For will writing services, the key areas to address are:
- Lawful basis documented for all processing activities, including special category data
- Privacy notice updated to cover beneficiary data, third-party sharing, and retention periods
- Data Processing Agreements in place with all processors (cloud storage, CRM, practice management software)
- Cookie consent banner correctly configured on your website
- Marketing consent collected and recorded separately from service enquiries
- Retention policy documented with specific periods and deletion triggers
- Post-death data request procedure written and followed
- Staff trained and access controls implemented
- DSAR response procedure in place
How Custodia Can Help
Many will writing websites use analytics tools, booking widgets, and contact forms that process visitor data in ways not fully disclosed in their privacy notices — and without properly configured cookie consent. Custodia scans your website and surfaces these issues in 60 seconds, generating a privacy policy and cookie banner tailored to what your site actually does.
Ready to find out what your website is doing with visitor data? Scan your website free at Custodia and get a compliance report in under a minute.
Last updated: March 2026